Proprietary Insecurity

Nonfree (proprietary) software is very often malware (designed to
mistreat the user). Nonfree software is controlled by its developers,
which puts them in a position of power over the users; that is the
basic injustice. The developers often exercise that power to the
detriment of the users they ought to serve.

This page lists clearly established cases of insecurity in
proprietary software that has grave consequences or is otherwise
noteworthy.

It is incorrect to compare free software with a fictitious idea of
proprietary software as perfect, but the press often implicitly does
that whenever a security hole in a free program is discovered. The
examples below show that proprietary software isn't perfect, and
is often quite sloppy.

It would be equally incorrect to compare proprietary software with
a fictitious idea of free software as perfect. Every nontrivial
program has bugs, and any system, free or proprietary, may have
security errors. To err is human, and not culpable. But proprietary
software developers frequently disregard gaping holes, or even
introduce them deliberately. In any case, they keep users
helpless to fix any security problems that arise. Keeping the
users helpless is what's culpable about proprietary software.

Conexant HD Audio Driver Package (version 1.0.0.46 and earlier)
pre-installed on 28 models of HP laptops logged the user's
keystrokes to a file in the filesystem. Any process with access to
the filesystem or the MapViewOfFile API could gain access to the
log. Furthermore, according to modzero, the “information-leak via
Covert Storage Channel enables malware authors to capture keystrokes
without taking the risk of being classified as malicious task by AV
heuristics”.

It does not help that in newer Intel processors, it is impossible
to turn off the Intel Management Engine. Thus, even users who are
proactive about their security can do nothing to protect themselves
besides using machines that don't come with the backdoor.

For example, a cracker can gain access to the dishwasher's filesystem,
infect it with malware, and force the dishwasher to launch attacks on other
devices in the network. Since these dishwashers are used in hospitals, such
attacks could potentially put hundreds of lives at risk.

The developers say that it wasn't intended as a back door, and that
may well be true. But that leaves the crucial question of whether it
functions as one. Because the program is nonfree, we cannot check by
studying it.

The “smart” toys My Friend Cayla and i-Que can be
remotely controlled with a mobile phone; physical access
is not necessary. This would enable crackers to listen in on a child's
conversations, and even speak into the toys themselves.

This means a burglar could speak into the toys and ask the child to
unlock the front door while Mommy's not looking.

This is in addition to the fact that the car contains a cellular
modem that tells big brother all the time where it is. If you own
such a car, it would be wise to disconnect the modem so as to turn off
the tracking.

That's easy to do because the system has no authentication when
accessed through the modem. However, even if it asked for
authentication, you couldn't be confident that Nissan has no
access. The software in the car is proprietary, which means it
demands blind faith from its users.

Even if no one connects to the car remotely, the cell phone modem
enables the phone company to track the car's movements all the time;
it is possible to physically remove the cell phone modem, though.

A camera that records locally on physical media, and has no network
connection, does not threaten people with surveillance—neither by
watching people through the camera, nor through malware in the camera.

FitBit fitness trackers have a Bluetooth vulnerability that allows
attackers to send malware to the devices, which can subsequently spread
to computers and other FitBit trackers that interact with them.

“Self-encrypting” disk drives do the encryption with proprietary
firmware so you can't trust it. Western Digital's “My Passport”
drives have a back door.

An app to prevent “identity theft” (access to personal data)
by storing users' data on a special server was deactivated by its
developer, which had discovered a security flaw.

That developer seems to be conscientious about protecting personal
data from third parties in general, but it can't protect that data
from the state. Quite the contrary: confiding your data to someone
else's server, if not first encrypted by you with free software,
undermines your rights.

We don't call this a “back door” because it is normal
that you can install a new system in a computer given physical access
to it. However, memory sticks and cards should not be modifiable in
this way.